LinuxQuestions.org
Old 10-15-2014, 02:03 AM   #1
mancha
Member
 
Registered: Aug 2012
Posts: 484

Status Update: Slackware LQ Security Thread


Hi.

Many of you are familiar with [Slackware security] vulnerabilities outstanding 20140101 (aka "the security thread"). For those who aren't,
it's a thread where slackers (ranging from security-conscious end users to admins seeking to harden their systems) share and discuss
security concerns with a focus on solutions.

Unfortunately, its high posting volume makes navigating it a bit of a challenge.

To help with this, I recently put together a status report covering the period from 20140101 (thread's birth) through 20141014.

As was suggested to me, I am re-posting it here to raise visibility.

--mancha

Code:
			LQ Slackware Vulnerability Thread Status Report (20141014)				
				
Package		CVE ID(s)	Posted		Reference	Status		Slackware Advisory

glibc		CVE-2012-4424	20131026	LQ Post		Vulnerable	
		CVE-2012-4412	20140620	2nd Post
		CVE-2013-4237
		CVE-2013-4788
		CVE-2013-4458

curl		CVE-2013-4545	20140101	LQ Post		Fixed		Advisory
		CVE-2013-6422

php		CVE-2013-6420	20140101	LQ Post		Fixed		Advisory

libgcrypt(gpg2)	CVE-2013-4576	20140101	LQ Post		Vulnerable
				20140909	Update

samba		CVE-2013-4408	20140101	LQ Post		Fixed		Advisory
		CVE-2012-6150

xorg-server	CVE-2013-6424	20140101	LQ Post		Vulnerable

pixman		CVE-2013-6425	20140101	LQ Post		Vulnerable

openssl		CVE-2013-6449	20140106	LQ Post		Fixed		Advisory
		CVE-2013-6450
		CVE-2013-4353

libxfont	CVE-2013-6462	20140107	LQ Post		Fixed		Advisory

bind		CVE-2014-0591	20140114	LQ Post		Fixed		Advisory

curl		CVE-2014-0015	20140131	LQ Post		Fixed		Advisory
		CVE-2013-6422
		CVE-2013-4545

kernel		CVE-2014-0038	20140131	LQ Post		Fixed		Advisory

stunnel		CVE-2013-1762	20140207	LQ Post		Vulnerable

poppler		CVE-2013-7296	20140209	LQ Post		Vulnerable

icu4c		CVE-2013-2924	20131019	LQ Post		Vulnerable
				20140211	2nd Post

mariadb		CVE-2014-0001	20140211	LQ Post		Fixed		Advisory

python		CVE-2014-1912	20140212	LQ Post		Vulnerable

gnutls		CVE-2014-1959	20140214	LQ Post		Fixed		Advisory

file		CVE-2014-1943	20140218	LQ Post		Vulnerable

imagemagick	CVE-2014-1958	20140222	LQ Post		Vulnerable
		CVE-2014-2030

gnutls		CVE-2014-0092	20140304	LQ Post		Fixed		Advisory

libssh		CVE-2014-0017	20140314	LQ Post		Vulnerable

file		CVE-2014-2270	20140314	LQ Post		Vulnerable

php		CVE-2014-1943	20140314	LQ Post		Fixed		Advisory
		CVE-2014-2270

freetype	CVE-2014-2240	20140314	LQ Post		Vulnerable
		CVE-2014-2241

udisks		CVE-2014-0004	20140314	LQ Post		Fixed		Advisory

udisks2		CVE-2014-0004	20140314	LQ Post		Fixed		Advisory

mutt		CVE-2014-0467	20140314	LQ Post		Fixed		Advisory

samba		CVE-2013-4496	20140314	LQ Post		Fixed		Advisory
		CVE-2013-6442

httpd		CVE-2014-0098	20140319	LQ Post		Fixed		Advisory
		CVE-2013-6438

curl		CVE-2014-0138	20140327	LQ Post		Fixed		Advisory
		CVE-2014-0139

openssh		CVE-2014-2653	20140407	LQ Post		Vulnerable

kernel		CVE-2014-2523	20140407	LQ Post		Vulnerable

openssl		CVE-2014-0160	20140407	LQ Post		Fixed		Advisory
		CVE-2014-0076

rsync		CVE-2014-2855	20140414	LQ Post		Vulnerable

kernel		CVE-2014-2706	20140421	LQ Post		Vulnerable

php		CVE-2014-0185	20140429	LQ Post		Fixed		Advisory

libxfont	CVE-2014-0209	20140515	LQ Post		Vulnerable
		CVE-2014-0210
		CVE-2014-0211

kernel		CVE-2014-0196	20140515	LQ Post		Vulnerable

mariadb		CVE-2014-0384	20140521	LQ Post		Fixed		Advisory
		CVE-2014-2419
		CVE-2014-2430
		CVE-2014-2431
		CVE-2014-2432
		CVE-2014-2436
		CVE-2014-2438
		CVE-2014-2440

gnutls		CVE-2014-3466	20140530	LQ Post		Fixed		Advisory

libtasn1	CVE-2014-3467	20140530	LQ Post		Fixed		Advisory
		CVE-2014-3468
		CVE-2014-3469

sendmail	CVE-2014-3956	20140602	LQ Post		Fixed		Advisory

php		CVE-2014-0237	20140604	LQ Post		Fixed		Advisory
		CVE-2014-0238

openssl		CVE-2014-0224	20140605	LQ Post		Fixed		Advisory
		CVE-2014-0221
		CVE-2014-0195
		CVE-2014-0198
		CVE-2010-5298
		CVE-2014-3470

kernel		CVE-2014-3153	20140606	LQ Post		Vulnerable

bind		CVE-2014-0591	20140612	LQ Post		Fixed		Advisory

glibc		CVE-2014-4043	20140620	LQ Post		Vulnerable

samba		CVE-2014-0239	20140621	LQ Post		Fixed		Advisory
		CVE-2014-0178

samba		CVE-2014-0244	20140623	LQ Post		Fixed		Advisory
		CVE-2014-3493

gnupg1		CVE-2014-4617	20140624	LQ Post		Fixed		Advisory

gnupg2		CVE-2014-4617	20140624	LQ Post		Fixed		Advisory

php		CVE-2014-0207	20140626	LQ Post		Fixed		Advisory
		CVE-2014-3478
		CVE-2014-3479
		CVE-2014-3480
		CVE-2014-3487
		CVE-2014-3515
		CVE-2014-3981
		CVE-2014-4049

httpd		CVE-2014-0231	20140720	LQ Post		Fixed		Advisory
		CVE-2014-0117
		CVE-2014-0118
		CVE-2014-0226

samba		CVE-2014-3560	20140801	LQ Post		Fixed		Advisory

openssl		CVE-2014-3508	20140807	LQ Post		Fixed		Advisory
		CVE-2014-5139
		CVE-2014-3509
		CVE-2014-3505
		CVE-2014-3506
		CVE-2014-3507
		CVE-2014-3510
		CVE-2014-3511
		CVE-2014-3512

glibc		CVE-2014-0475	20140906	LQ Post		Vulnerable
		CVE-2014-5119

procmail	CVE-2014-3618	20140906	LQ Post		Vulnerable

gpgme		CVE-2014-3564	20140906	LQ Post		Vulnerable

dbus		CVE-2014-3532	20140906	LQ Post		Vulnerable
		CVE-2014-3533
		CVE-2014-3477

lzo		CVE-2014-4607	20140906	LQ Post		Vulnerable

file		CVE-2014-3587	20140906	LQ Post		Vulnerable

subversion	CVE-2014-3522	20140906	LQ Post		Vulnerable
		CVE-2014-3528

ppp		CVE-2014-3158	20140909	LQ Post		Vulnerable

curl		CVE-2014-3613	20140913	LQ Post		Vulnerable
		CVE-2014-3620

dbus		CVE-2014-3635	20140916	LQ Post		Vulnerable
		CVE-2014-3636
		CVE-2014-3637
		CVE-2014-3638
		CVE-2014-3639

net-snmp	CVE-2014-2284	20140922	LQ Post		Vulnerable
		CVE-2014-3565

bash		CVE-2014-6271	20140924	LQ Post		Fixed		Advisory

bash		CVE-2014-7169	20140924	LQ Post		Fixed		Advisory

bash		CVE-2014-7186	20140926	LQ Post		Vulnerable (a)
		CVE-2014-7187

sysklogd	CVE-2014-3634	20140930	LQ Post		Vulnerable
				20141003	2nd Post

bash		CVE-2014-6277	20141001	LQ Post		Vulnerable (a)
		CVE-2014-6278

python		CVE-2013-1752	20141013	LQ Post		Vulnerable
		CVE-2014-4616
		CVE-2014-4650
		CVE-2014-7185

getmail4	CVE-2014-7273	20141013	LQ Post		Vulnerable
		CVE-2014-7274
		CVE-2014-7275

libvncserver	CVE-2014-6501	20141013	LQ Post		Vulnerable
		CVE-2014-6502
		CVE-2014-6503
		CVE-2014-6504
		CVE-2014-6505

vim (ctags)	CVE-2014-7204	20141013	LQ Post		Vulnerable

----
(a) The Bash affix hardening patch Slackware deployed on 20140929 largely mitigates.

Last edited by mancha; 10-18-2014 at 01:27 AM. Reason: eman
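To work with the report rather than scroll it, here is an added example (editor's shell code, not mancha's own tooling) that parses the tab-aligned table above into one record per row, lists the rows still marked Vulnerable, and, on a Slackware host, looks up the installed build of each package in /var/log/packages so it can be compared with the matching advisory. The sample input is a constructed excerpt of the report; the parser relies only on the column order, so it accepts the tab-aligned original or a space-aligned copy.

```shell
#!/bin/sh
# Added example (editor's code, not mancha's tooling): turn the status report
# above into one record per row so the "Vulnerable" rows can be checked
# against what is actually installed. Input may be tab- or space-aligned.

# stdin: report text  ->  stdout: package<TAB>status<TAB>cve1,cve2,...
parse_report() {
    awk '
    function emit() {
        if (pkg != "") printf "%s\t%s\t%s\n", pkg, status, cves
        pkg = ""; status = ""; cves = ""
    }
    {
        ci = 0                                  # index of first CVE field
        for (i = 1; i <= NF; i++)
            if ($i ~ /^CVE-[0-9]+-[0-9]+$/) { ci = i; break }
        if (ci == 0) next                       # header, blank, "2nd Post" lines
        if (ci == 1) {                          # continuation: more CVEs, same row
            if (pkg != "") cves = cves "," $1
            next
        }
        emit()
        pkg = $1                                # name may span fields: "vim (ctags)"
        for (i = 2; i < ci; i++) pkg = pkg " " $i
        cves = $ci
        status = "Unknown"
        for (i = ci + 1; i <= NF; i++)
            if ($i == "Vulnerable" || $i == "Fixed") { status = $i; break }
    }
    END { emit() }'
}

# Only the rows still marked Vulnerable: package<TAB>cve1,cve2,...
vulnerable_packages() {
    parse_report | awk -F "\t" '$2 == "Vulnerable" { print $1 "\t" $3 }'
}

# On a Slackware host, report the installed build of a package (its
# /var/log/packages entry). The "(ctags)" / "(gpg2)" qualifiers used in
# the report are stripped first; they are not part of the package name.
check_installed() {
    name=$(printf '%s' "$1" | sed 's/[ (].*//')
    entry=$(ls /var/log/packages 2>/dev/null | grep "^${name}-[0-9]" | head -n 1) || :
    if [ -n "$entry" ]; then
        echo "$name: installed as $entry"
    else
        echo "$name: not installed (or not a Slackware host)"
    fi
}

# Constructed excerpt of the report above, used as sample input.
sample_report() {
    cat <<'EOF'
Package          CVE ID(s)        Posted     Reference   Status        Slackware Advisory

glibc            CVE-2012-4424    20131026   LQ Post     Vulnerable
                 CVE-2012-4412    20140620   2nd Post
                 CVE-2013-4237

curl             CVE-2013-4545    20140101   LQ Post     Fixed         Advisory
                 CVE-2013-6422

libgcrypt(gpg2)  CVE-2013-4576    20140101   LQ Post     Vulnerable
                                  20140909   Update

bash             CVE-2014-7186    20140926   LQ Post     Vulnerable (a)
                 CVE-2014-7187

vim (ctags)      CVE-2014-7204    20141013   LQ Post     Vulnerable
EOF
}

# Usage: feed the full report on stdin instead of sample_report to cover every row.
sample_report | vulnerable_packages | while IFS="$(printf '\t')" read -r pkg cves; do
    echo "$pkg: $cves"
    check_installed "$pkg"
done
```

Because the report lists each issue set separately, a package that appears as Fixed in one row and Vulnerable in a later one (curl does) is printed for the later row; the status of a row never retires an earlier row for the same package.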
 
Old 10-15-2014, 03:47 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 7,912

Thanks for a comprehensive update.

So Slackware-current is still vulnerable where you listed it as such. I know those with servers online will take one attitude. For the ordinary user, how many of these matter?

Last edited by business_kid; 10-15-2014 at 05:35 AM.
 
Old 10-15-2014, 12:41 PM   #3
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Quote:
Originally Posted by business_kid
For the ordinary user, how many of these matter?
Hi.

Great question with no simple answer. After all, levels of risk aversion, use case profiles, etc. vary considerably by user (i.e. security is
not one-size-fits-all). Gurus and seasoned users can provide guidelines and recommendations to novices but ultimately each user needs
to answer that question for themselves.

The thread doesn't attempt to decide for you what should matter. Rather, in Slackwarian fashion, issue/solution sets are shared and
discussed unfiltered. That way individual slackers can make informed decisions about which security situations are of concern to them.

--mancha

Last edited by mancha; 10-15-2014 at 12:43 PM.
 
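For the bash rows in the report, "does it matter to me" has a direct answer: probe the installed shell. The following is an added example (editor's code, not from the thread) that runs the widely published probes for CVE-2014-6271 and CVE-2014-7169 and also reports whether the shell still imports a function from an arbitrarily named environment variable, which is the behaviour the affix hardening patch mentioned in footnote (a) removes. It assumes a bash binary on PATH and mktemp; the CVE-2014-7169 probe is run inside a scratch directory because on an unpatched shell it creates a file.

```shell
#!/bin/sh
# Added example (editor's code, not the thread's): probe the installed bash
# for the Shellshock rows in the report. Each function prints exactly one of
# "vulnerable", "patched", "imports", "rejects" or "no-bash".

# CVE-2014-6271: a function definition in an environment variable followed
# by trailing commands; an unpatched bash runs the trailing "echo vulnerable".
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null) || :
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the incomplete first fix left a parser state bug; on an
# unpatched bash the probe turns "echo date" into a redirection that creates
# a file named "echo" in the current directory, hence the scratch directory.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    scratch=$(mktemp -d) || { echo no-bash; return; }
    ( cd "$scratch" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || :
    if [ -e "$scratch/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$scratch"
}

# Affix hardening: a hardened bash only imports functions from specially
# named variables, so a definition in a plain variable named "probe" must
# not become a callable function.
check_unprefixed_import() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    out=$(env 'probe=() { echo imported; }' bash -c 'probe' 2>/dev/null) || :
    case $out in
        *imported*) echo imports ;;
        *)          echo rejects ;;
    esac
}

echo "CVE-2014-6271:           $(check_cve_2014_6271)"
echo "CVE-2014-7169:           $(check_cve_2014_7169)"
echo "unprefixed env import:   $(check_unprefixed_import)"
```

A shell that reports "patched" for both CVEs but "imports" is at the state between the first two upstream fixes and the affix patch, which is the window the footnote's remaining CVEs target.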
Old 10-15-2014, 07:15 PM   #4
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Thanks mancha, I like this thread a lot better than the original. Clear, concise, to the point and a great disclaimer that the user needs to decide for themselves, I couldn't have put it better. Keep it up.
 
Old 10-16-2014, 07:45 AM   #5
sanjioh
Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 91

wpa_supplicant v2.3 fixes CVE-2014-3686 (http://www.securityfocus.com/bid/70396/info)
This is quite urgent since it could lead to RCE.

Changelog of wpa_supplicant v2.3
http://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
 
Old 11-04-2014, 01:55 PM   #6
Poprocks
Member
 
Registered: Sep 2003
Location: Toronto, Canada
Distribution: Slackware
Posts: 243

I guess I should finally upgrade my server from 14.0 to 14.1, given that there is now at least one set of security updates (i.e., glibc) that has not been applied to 14.0, which still runs a vulnerable version of glibc according to the literature I have read.
 
Old 11-06-2014, 11:26 PM   #7
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-Current
Posts: 6,392
Blog Entries: 15

Curious because it just came out recently, but how is ConsoleKit-0.4.5 used by Slackware compared to ConsoleKit2-0.9.2 in terms of code vulnerability?
 
Old 03-24-2015, 01:29 PM   #8
rob.rice
Member
 
Registered: Apr 2004
Distribution: slack what ever
Posts: 998

Can slackpkg be used to automagically update the system from the list posted at slackware.com?
If so, HOW?
 
Old 03-24-2015, 09:57 PM   #9
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 3,595

Yes, that's what slackpkg is used for.
 
Old 03-25-2015, 07:03 AM   #10
bassmadrigal
Senior Member
 
Registered: Nov 2003
Location: Newport News, VA
Distribution: Slackware
Posts: 3,956

Automagically? Not that I'm aware of without scripting it. But you probably shouldn't do it automatically so you can decide what new configs to keep, merge, or discard.

Just make sure you have a server selected in the mirrors file, then run the commands to check for updates and then to upgrade the packages.
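The routine described in this post, as an added example (editor's shell code, not from the thread or the slackpkg project). It uses the stock slackpkg commands and paths (/etc/slackpkg/mirrors, slackpkg update, install-new, upgrade-all, new-config) and adds the two checks worth doing around them: refusing to start unless exactly one mirror line is enabled, and listing the .new config files afterwards so the keep/merge/discard decision stays with a human. The mirror file content is constructed; the hostnames in it are placeholders.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): the slackpkg update
# routine with its pre- and post-checks. Run on a Slackware host as root with
# "--run"; without it the script only demonstrates the checks on sample data.

# stdin: a mirrors file  ->  number of enabled (uncommented, non-blank) lines.
# slackpkg wants exactly one.
enabled_mirrors() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }'
}

# List the .new config files an upgrade leaves behind under $1 (default
# /etc); each needs a keep/merge/discard decision rather than an automatic one.
list_new_configs() {
    find "${1:-/etc}" -name '*.new' 2>/dev/null | sort
}

# Interactive update. Nothing here answers slackpkg's prompts for you; use
# "slackpkg -batch=on -default_answer=y ..." only where you have already
# decided that is acceptable.
update_system() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -r /etc/slackpkg/mirrors ] || { echo "no /etc/slackpkg/mirrors" >&2; return 1; }
    n=$(enabled_mirrors < /etc/slackpkg/mirrors)
    if [ "$n" -ne 1 ]; then
        echo "need exactly one enabled mirror in /etc/slackpkg/mirrors, found $n" >&2
        return 1
    fi
    slackpkg update && slackpkg install-new && slackpkg upgrade-all || return 1
    echo "config files left for review:"
    list_new_configs /etc
    slackpkg new-config
}

# Constructed mirrors file (placeholder hostnames, not real mirrors).
sample_mirrors() {
    cat <<'EOF'
# Slackware64 14.1 mirrors; uncomment exactly one
# http://mirror.example.net/slackware/slackware64-14.1/
http://mirror.example.org/slackware/slackware64-14.1/
# ftp://mirror.example.com/slackware/slackware64-14.1/
EOF
}

echo "enabled mirrors in sample file: $(sample_mirrors | enabled_mirrors)"
if [ "${1:-}" = "--run" ]; then
    update_system
fi
```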
 
Old 03-25-2015, 09:07 AM   #11
mancha
Member
 
Registered: Aug 2012
Posts: 484

Original Poster
Hello rob.rice, willysr, bassmadrigal.

I request you move this to a more appropriate thread. The purpose of this low-traffic thread is to provide occasional status updates for the security thread. Thanks.
 
Old 04-07-2015, 09:07 AM   #12
bamunds
Member
 
Registered: Sep 2013
Location: Mounds View MN
Distribution: Slackware64-14.2 WMaker/XFCE
Posts: 307

Hi mancha, thank you for this excellent summary thread and the links.
1) Any chance you might make a follow-up thread, or include in this one, how one should do basic security on their Slackware?
2) Any chance you might provide instructions for earlier Slackware releases on how to build the Advisory for their release?
3) For newbies, any chance you might include a link to "updating using make && make install" or "slackpkg upgrade <app>" type instructions?
 
Old 04-17-2015, 12:17 AM   #13
Thom1b
Member
 
Registered: Mar 2010
Location: France
Distribution: Slackware
Posts: 162

php-5.4.40.

Hi,

Quote:
The PHP development team announces the immediate availability of PHP
5.4.40. 14 security-related bugs were fixed in this release, including
CVE-2014-9709, CVE-2015-2301, CVE-2015-2783, CVE-2015-1352.
http://fr2.php.net/distributions/php-5.4.40.tar.bz2
http://fr2.php.net/distributions/php-5.4.40.tar.bz2.asc
 
Old 10-07-2015, 11:54 AM   #14
pcninja
Member
 
Registered: Oct 2013
Location: SE Wisconsin, USA
Distribution: Slackware
Posts: 82

Can we get a more up-to-date list?
 
Old 06-08-2016, 08:49 AM   #15
hendrickxm
Member
 
Registered: Feb 2014
Posts: 202

Quote:
Originally Posted by pcninja
Can we get a more up-to-date list?
That would be great, thanks for the effort you put into this.
 
  

